Ransomware – A Complex Attack Needs a Sophisticated Defense

A guest post from Arete, by

  • Jim Jaeger, President and Chief Cyber Strategist, Arete Incident Response
  • Larry Wescott, CISSP, Cyber Strategist, Arete Incident Response
  • Rae Jewell, Director, MDR & IR Security Operations, Arete Incident Response, contributed to this article.

A ransomware attack is not a simple infection from malware. It is a complex series of actions in which the initial infection is only the first step. A successful ransomware attack almost always involves a variety of attack vectors, frequently guided by human intervention. Successfully resisting a ransomware attack requires a solution that can neutralize the full range of threats from these vectors.

Microsoft recently issued a detailed report describing how complex ransomware variants, which are manually guided by their issuers, operate. Here are some of the characteristics of these human-guided ransomware variants:

  • They begin with unsophisticated types of malware which can trigger multiple alerts, but tend to be triaged as unimportant and not thoroughly investigated
  • They may drop multiple variants of malware until a variant is not caught by antivirus software
  • They can attack servers which have Remote Desktop Protocol (RDP) configured as open to the internet, and use brute force attacks to gain access to the corporate network
  • Once inside, they surveil the network
  • They can use other utilities to steal credentials to gain administrative privileges
    • They can then stop services such as antivirus protection or other services which may lead to their detection
    • Other tools are downloaded to enable persistence of the malware, elevation of privileges and clearing of event logs
  • They can execute PowerShell scripts connecting to a command and control server, allowing persistent control over other machines
  • They will stop Exchange Server, SQL Server and other similar services which can lock certain files so they cannot be encrypted
  • They can introduce legitimate binaries and use Alternate Data Streams to masquerade the execution of ransomware code as legitimate code

Ransomware Techniques Seen in the Wild

Execution of the ransomware payload at the highest privilege level with the fewest obstacles is the ultimate goal of the attacker. Often the attackers will also disable or encrypt on-line back-up systems so they cannot be used to recover data encrypted in the ransomware attack. We are now seeing some ransomware variants exfiltrating sensitive data with the additional goal of threatening the victim with exposure of the data if the ransom is not paid.

Other pernicious ransomware techniques include polymorphism, or code which constantly changes itself to avoid detection, and the use of fileless strategies to infect machines without dropping files onto the target machine. Some have noted the use of artificial intelligence tactics to take over some of the human-guided techniques described above, such as reconnaissance and scaling attacks.

AV Signatures Are Failing to Block Ransomware

Defensive antivirus systems which are signature-based are totally insufficient to repel attacks from this wide variety of potential attack vectors.

We respond to hundreds of ransomware attacks a year. In every case where the victim was using signature-based antivirus defenses, it did NOT detect the ransomware and allowed it to execute and encrypt critical data.

The National Institute of Standards and Technologies describes the limitations of signature-based detection systems this way:

Signature-based detection is very effective at detecting known threats but largely ineffective at detecting previously unknown threats, threats disguised using evasion techniques, and many variants of known threats. For example, if an attacker modified the malware to use a filename of “freepics2.exe”, a signature-based defense looking for “freepics.exe” would not match it.

Signature-based detection is the simplest detection method because it just compares the current unit of activity, such as a packet or a log entry, to a list of signatures using string comparison operations. Signature-based detection technologies have little understanding of many network or application protocols and cannot track and understand the state of complex communications. They also lack the ability to remember previous requests when processing the current request. This limitation prevents signature-based detection methods from detecting attacks that comprise multiple events if none of the events contains a clear indication of an attack.

The Next Step in Evolution: EPP

An Endpoint Protection Platform (EPP) is a step up the protection ladder. An EPP system is a

“set of software tools and technologies that enable the securing of endpoint devices. It is a unified security solution that combines antivirus, antispyware, intrusion detection/prevention, a personal firewall and other endpoint protection solutions.”

Although some EPP solutions include threat intelligence and data analytics, they sometimes lack capabilities such as the ability to analyze memory, which would allow detection of memory resident attacks, or existing operating system binaries and capabilities (such as PowerShell), which could detect LOL “living-off-the-land” attacks which hijack these operating system functions.

An EPP is an important step in the right direction, as a correctly deployed solution provides a defensive perimeter around the organization, on all of the endpoints which represent potential access channels for malware. Even one unmonitored access point may be all that is needed for an intruder to get inside and start the processes which could culminate in a successful ransomware attack.

A consequence of a fully deployed EPP solution, however, is a potentially massive amount of data generated by the endpoints, which must be analyzed in order to detect the hits that even a signature-based detection process would generate. That’s assuming that the malware can be detected by the signature based system – that constantly evolving polymorphic malware is not involved, and that the malware is identified by the signatures stored by the system, which, is not a given. Further, as the size of the business increases, obviously the magnitude of the data generated increases exponentially.

Problem Solved: EDR

But perhaps more importantly, as the NIST comment pointed out, a signature based system will not be able to analyze the context of an attack, and trigger an alert if a pattern emerges, such as repeated login attempts, especially over a number of endpoints, which may indicate a brute force attack. To the extent that an EPP solution contains threat intelligence or data analytics, it may be able to detect these kinds of attacks.

But as attacks grow more sophisticated, how those solutions implement their analytical capabilities may become an issue. In terms of sheer volume, a University of Maryland study estimated in 2007 that attacks occur every 39 seconds, a volume which has undoubtedly increased. Both cloud-based solutions and those involving a central database can present bottlenecks and delays in triggering alerts, which could provide attackers with critical advantages in establishing themselves inside networks. Attacks are also increasing in sophistication, with some seeing indications that attackers are beginning to incorporate artificial intelligence into their malware.

Endpoint detection and response (EDR) technology incorporates data analytics and threat intelligence solutions into a package which can respond to the threat, by killing or quarantining the malicious process. The most effective and advanced solutions are active EDR solutions, which incorporate artificial intelligence and machine learning (AI/ML) into behavioral analysis of system activity. These solutions apply data analytics at the endpoint, leveraging advanced methods of applying data science at the endpoint in real time, with minimal performance overhead. Another advantage of active EDR is autonomous response – the ability to respond to threats at machine speed. The use of AI allows active EDR to respond to a ransomware attack before the malware can encrypt the data – much more quickly than a human could respond to an alert.

Proud to Protect the World’s Leading Enterprises
The World’s Leading and Largest Enterprises Trust in SentinelOne.

Conclusion

By focusing on behavior rather than conformance to a signature, active EDR can detect patterns at variance with the system baseline, whether from new (or evolved) variants, or activities occurring within the network which are at odds from the normal. Processes indicating suspicious activity can be killed or isolated before they can spread.

Active EDR also automates analysis of the activity to provide context for the human analyst, thus reducing by orders of magnitude the data generated by an EPP solution. This additional context reduces the amount of time required for human analysis, thus either allowing them to keep up with the anomalies generated by the system, or otherwise reducing the number of human analysts required in the absence of the active EDR system.

We routinely employ active EDR technology on every ransomware incident that we respond to and find it to be 100% effective in containing and neutralizing the malware. Active EDR enables us to confidently recover encrypted systems into a clean environment, whether we are restoring from (off-line) back-ups or employing decryption keys. Active EDR technology has proven to be effective against the most persistent ransomware variants being employed by attackers. Once our clients see how effective the active EDR tools we employ during our incident response operations are, they frequently purchase these systems for long term use on their networks.